
Subsearch in Pivot child object creation


Hi All,

I stumbled into this difficulty when trying to create a child object that (I think...) needs a subsearch. I have a log from my mail server as shown below; each line is an event. I set the sourcetype=SMTP_logs. I manually extracted some fields such as sessionid, mail_from, mail_to, and status.

I successfully created an object in my data model named "SMTP" which has constraint string "sourcetype=SMTP_logs". OK, that part is easy.

And then I want to create a child object that only contains successful SMTP sessions. As in my log example below, sessionid 001 and 003 are successful, but not so with sessionid 002. How do I select only the events that have a successful sessionid? So only events from sessionid 001 and 003 are selected.

In a normal search, I could simply do a subsearch like [search sourcetype=SMTP status=successful | fields sessionid], and it will return all the successful sessionids. I learned this technique from my previous question in this community forum. But pipes "|" as in "| fields sessionid" are not allowed in the constraint strings when doing child object creation.

So it isn't so much a subsearch that's required; you're just looking to filter on a particular status, and the child object inherits the previous constraints from the parent object... but only specifically as you designate.

So what you need to do is make sure that you have a parent object that is set up so that the child can inherit properly... think of each level as what lives "between the pipes" but you get to pick and choose which ones to use.

If you're not completely sure... you can test things out by creating a pivot on the data model and then using the job inspector to see the search that Splunk used... it will show you the whole thing spelled out in search language and you can see if that's what you intended.
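As an added illustration of the answer above (not part of the original post or of Splunk's own documentation), here is how the parent/child constraint split looks in SPL, together with the search you should expect to see in the job inspector. The sample events, the child object name "Successful", and the field values are constructed assumptions; lines starting with "#" are annotations for the reader, not SPL.

```spl
# Constructed sample events, sourcetype=SMTP_logs, with fields already
# extracted by the search-time extractions described in the question:
#   sessionid=001 mail_from=a@example.test mail_to=b@example.test status=successful
#   sessionid=002 mail_from=c@example.test mail_to=d@example.test status=rejected
#   sessionid=003 mail_from=e@example.test mail_to=f@example.test status=successful

# Parent object "SMTP": constraint string (the first "between the pipes" level)
sourcetype=SMTP_logs

# Child object "Successful" under "SMTP": constraint string. No pipe is needed;
# the child only adds its own filter and inherits the parent constraint.
status=successful

# What Splunk generates when you build a pivot on the child object, i.e. the
# search the job inspector will show: parent constraint AND child constraint.
sourcetype=SMTP_logs status=successful

# Equivalent check without opening the job inspector: run the object as a
# search and confirm only the sessionid 001 and 003 events come back.
| datamodel SMTP Successful search
| table _time sessionid mail_from mail_to status
```

One caveat worth keeping in mind when reviewing the generated search: a constraint such as status=successful matches only the events that themselves carry that field value. If a session writes several lines and only one of them carries status=successful, the other lines of that session will not be in the child object, which is exactly the kind of difference the job inspector view makes visible before you rely on the pivot.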
